Closed
Bug 400744
Opened 17 years ago
Closed 17 years ago
Pure virtual function call and crash invoking context menu
Categories
(Firefox :: General, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: john_mcdonnell, Assigned: smaug)
References
()
Details
(4 keywords)
Attachments
(1 file, 2 obsolete files)
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.8) Gecko/20071008 Firefox/2.0.0.8 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.8) Gecko/20071008 Firefox/2.0.0.8 When I click the right mouse button to invoke the context menu on certain web pages, Firefox 2.0.0.8 crashes with a "Pure virtual function call" error. This problem does NOT happen with Firefox 2.0.0.7. Reproducible: Always Steps to Reproduce: Using Firefox 2.0.0.8 (not 2.0.0.7) on either Windows XP SP2 or Windows 2003 SP1 (both fully patched): 1. Go to http://www.bindows.net/demos/ 2. Click the "Bindows Quick Demo" link (a popup will launch) 3. Click the "Grids and Trees" tab 4. Right click twice (sometimes three times) inside the table. -> Get the "pure virtual function call" error. Actual Results: Pure virtual function call error. Expected Results: A browser-drawn (DHTML) menu appears. Talkback info was submitted and is attached. Also is attached is an attempt at getting a stack trace using WinDbg on Windows 2003.
This is what WinDbg output reported when run on a retail (sorry, not a debug version) Windows 2003 machine. I also tried a Windows XP machine, but was could not get WinDbg to give me a stack trace; instead, the "Pure virtual function call" dialog appeared instead. On the Windows 2003 box, the "Pure virtual function call" dialog did not appear.
Additional info for keyword searchers: R6025
Keywords: crash
Here's a screenshot from my WinXP SP2 machine. Talkback was not enabled. The text is: ------------------- Runtime Error! Program: c:\Program Files\Mozilla_Firefox_2_0_0\firefox.exe R6025 - pure virtual function call ---------- with an OK button.
Comment on attachment 285773 [details] Copy and paste from Talkback reporter: you can't get useful information from the talkback client. please see a wiki page for information on how to get your incident id. In this case, I spent the time to retrieve your incident for you (and it took way too long, so I hope never to need to do it again): Incident ID: 37241314 Stack Signature Detecting 2fc684bf Product ID Firefox2 Build ID 2007100816 Trigger Time 2007-10-22 13:32:11.0 Platform Win32 Operating System Windows NT 5.2 build 3790 Module js3250.dll + (0003224c) URL visited http://www.bindows.net/demos/ User Comments 1) Click "Bindows Quick Demo" 2) Click "Grids and Tree" 3) Right click two or three times. Since Last Crash 24 sec Total Uptime 24 sec Trigger Reason Access violation Source File, Line No. c:/builds/tinderbox/Fx-Mozilla1.8-Release/WINNT_5.2_Depend/mozilla/js/src/jsobj.c, line 3122 Stack Trace Detecting [mozilla/js/src/jsobj.c, line 3122] js_LookupProperty [mozilla/js/src/jsobj.c, line 3165] js_GetProperty [mozilla/js/src/jsobj.c, line 3543] nsXPCWrappedJSClass::CallQueryInterfaceOnJSObject [mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp, line 243] nsXPCWrappedJSClass::DelegatedQueryInterface [mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp, line 633] nsXPCWrappedJS::QueryInterface [mozilla/js/src/xpconnect/src/xpcwrappedjs.cpp, line 106] nsEventListenerManager::HandleEvent [mozilla/content/events/src/nsEventListenerManager.cpp, line 1752] nsXULElement::HandleDOMEvent [mozilla/content/xul/content/src/nsXULElement.cpp, line 2232] nsXULElement::HandleDOMEvent [mozilla/content/xul/content/src/nsXULElement.cpp, line 2255] nsXULElement::HandleDOMEvent [mozilla/content/xul/content/src/nsXULElement.cpp, line 2255] nsXULElement::HandleDOMEvent [mozilla/content/xul/content/src/nsXULElement.cpp, line 2255] nsXULElement::HandleDOMEvent [mozilla/content/xul/content/src/nsXULElement.cpp, line 2255] nsXULElement::HandleChromeEvent [mozilla/content/xul/content/src/nsXULElement.cpp, line 2897] nsGlobalWindow::HandleDOMEvent [mozilla/dom/src/base/nsGlobalWindow.cpp, line 1761] nsDocument::HandleDOMEvent [mozilla/content/base/src/nsDocument.cpp, line 4099] nsGenericElement::HandleDOMEvent [mozilla/content/base/src/nsGenericElement.cpp, line 2269] nsGenericElement::HandleDOMEvent [mozilla/content/base/src/nsGenericElement.cpp, line 2261] nsGenericElement::HandleDOMEvent [mozilla/content/base/src/nsGenericElement.cpp, line 2261] nsGenericElement::HandleDOMEvent [mozilla/content/base/src/nsGenericElement.cpp, line 2261] nsGenericElement::HandleDOMEvent [mozilla/content/base/src/nsGenericElement.cpp, line 2261] nsGenericElement::HandleDOMEvent [mozilla/content/base/src/nsGenericElement.cpp, line 2261] nsGenericElement::HandleDOMEvent [mozilla/content/base/src/nsGenericElement.cpp, line 2261] nsGenericElement::HandleDOMEvent [mozilla/content/base/src/nsGenericElement.cpp, line 2261] nsGenericElement::HandleDOMEvent [mozilla/content/base/src/nsGenericElement.cpp, line 2261] nsGenericElement::HandleDOMEvent [mozilla/content/base/src/nsGenericElement.cpp, line 2261] nsGenericElement::HandleDOMEvent [mozilla/content/base/src/nsGenericElement.cpp, line 2261] nsGenericElement::HandleDOMEvent [mozilla/content/base/src/nsGenericElement.cpp, line 2261] nsGenericElement::HandleDOMEvent [mozilla/content/base/src/nsGenericElement.cpp, line 2261] nsGenericElement::HandleDOMEvent [mozilla/content/base/src/nsGenericElement.cpp, line 2261] nsGenericElement::HandleDOMEvent [mozilla/content/base/src/nsGenericElement.cpp, line 2261] nsEventStateManager::DispatchMouseEvent [mozilla/content/events/src/nsEventStateManager.cpp, line 2797] nsEventStateManager::NotifyMouseOver [mozilla/content/events/src/nsEventStateManager.cpp, line 2922] nsEventStateManager::GenerateMouseEnterExit [mozilla/content/events/src/nsEventStateManager.cpp, line 2954] nsEventStateManager::PreHandleEvent [mozilla/content/events/src/nsEventStateManager.cpp, line 567] PresShell::HandleEventInternal [mozilla/layout/base/nsPresShell.cpp, line 6468] PresShell::HandleEvent [mozilla/layout/base/nsPresShell.cpp, line 6310] nsViewManager::HandleEvent [mozilla/view/src/nsViewManager.cpp, line 2566] nsViewManager::DispatchEvent [mozilla/view/src/nsViewManager.cpp, line 2253] HandleEvent [mozilla/view/src/nsView.cpp, line 174] nsWindow::DispatchEvent [mozilla/widget/src/windows/nsWindow.cpp, line 1319] nsWindow::DispatchMouseEvent [mozilla/widget/src/windows/nsWindow.cpp, line 6329] ChildWindow::DispatchMouseEvent [mozilla/widget/src/windows/nsWindow.cpp, line 6576] nsWindow::WindowProc [mozilla/widget/src/windows/nsWindow.cpp, line 1507] USER32.dll + 0x1b6e3 (0x7739b6e3) USER32.dll + 0x1b874 (0x7739b874) USER32.dll + 0x1ba92 (0x7739ba92) USER32.dll + 0x1bad0 (0x7739bad0) nsAppShell::Run [mozilla/widget/src/windows/nsAppShell.cpp, line 159] nsAppStartup::Run [mozilla/toolkit/components/startup/src/nsAppStartup.cpp, line 152] main [mozilla/browser/app/nsBrowserApp.cpp, line 61] kernel32.dll + 0x2f23b (0x77e6f23b) However, detecting shouldn't be a Pure Virtual crash
Attachment #285773 -
Attachment is obsolete: true
Comment on attachment 285774 [details] WinDbg output / stack trace from Windows 2003 In order o use windbg w/ firefox, you need to have symbols, see: http://developer.mozilla.org/en/docs/How_to_get_a_stacktrace_with_WinDbg I think this is one of a dozen pages that migh explain how to get a talkback incident id (again, you don't need it for the incident you've already reported as I retrieved it in comment 5): http://kb.mozillazine.org/Talkback
Attachment #285774 -
Attachment is obsolete: true
Comment 7•17 years ago
|
||
This is worksforme, using: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.8) Gecko/20071008 Firefox/2.0.0.8 John, if you can reproduce this consistently, you could try out older branch builds (directories ending with mozilla-1.8) to see in which of the builds it started crashing: http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/
Updated•17 years ago
|
Flags: blocking1.8.1.10?
Comment 8•17 years ago
|
||
WFM, Firefox 2.0.0.8 on Windows XP, Vista and Linux. John, can you reproduce the crash in Firefox Safe Mode? (it temporarily disables add-ons and themes, this test will help us narrow down the cause of the problem) -- See http://kb.mozillazine.org/Safe_Mode
Good news, bad news. The good news is that I can reproduce the crash in safe mode, with or without a debugger. I can reproduce it in the build from http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2007-10-05-03-mozilla1.8/firefox-2.0.0.8pre.en-US.win32.zip but not in the build from http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2007-10-03-03-mozilla1.8/firefox-2.0.0.8pre.en-US.win32.zip . So it looks like the problematic checkin happened between 10-03 and 10-05 (thanks, Martin). The bad news is that I can no longer reproduce the problem with the original URL http://www.bindows.net/demos/ and repro steps. I can still reproduce the problem, though, but the web site that I'm using is only on my company's intranet. (A little background here: the intranet site was written using the Bindows JavaScript toolkit from the URL above). The Bindows site may have been patched to work around the problem. Another piece of bad news is that I cannot get a stack trace by following the instructions at http://developer.mozilla.org/en/docs/How_to_get_a_stacktrace_with_WinDbg . I tried WinDbg and MS VC++ 2005 Express I get errors such as: 'firefox.exe': Loaded 'C:\ff-test\2007-10-07-03-firefox-2.0.0.8pre.en-US.win32\firefox\firefox.exe', No symbols loaded. ...snip MS binaries.... 'firefox.exe': Loaded 'C:\ff-test\2007-10-07-03-firefox-2.0.0.8pre.en-US.win32\firefox\js3250.dll', No symbols loaded. ...etc.... for all of the Firefox binaries. I'm new to using a debugger, but it looks like the symbols aren't getting downloaded.
Comment 10•17 years ago
|
||
John, thanks for finding out the regression range. This is a bonsai links that contains all the check-ins to the 1.8 branch: http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=MOZILLA_1_8_BRANCH&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2007-10-03+03&maxdate=2007-10-05+04&cvsroot=%2Fcvsroot Maybe somehow a regression from bug 384105? Unfortunate that it doesn't work anymore on the bindows demo site. An example/testcase that reproducible crashes would be very helpful.
Comment 11•17 years ago
|
||
Maybe the symbol server have symbols for 2.0.0.8? http://developer.mozilla.org/en/docs/Using_the_Mozilla_symbol_server
Component: OS Integration → General
QA Contact: os.integration → general
Comment 12•17 years ago
|
||
Looks like a branch regression...
Keywords: regression
Version: unspecified → 2.0 Branch
Updated•17 years ago
|
Flags: blocking1.8.1.9?
Reporter | ||
Comment 13•17 years ago
|
||
Mats, I *had* read that page on using the symbol server. I still don't get symbols downloaded to my machine. See http://developer.mozilla.org/en/docs/Talk:Using_the_Mozilla_symbol_server for gory details. All - sorry, I still don't have a site where it can be demoed.
Comment 14•17 years ago
|
||
The referred site, http://www.bindows.net/demos/ does no longer reproduce the problem. Since this is our public demos, we worked around the issue temporarily by adding a short break (timer) in the rendering of a context meny. In isolated testcase posted by Marcus Better in #400976 reproduces the issue Some additional observations: In some cases, the browser indeed crashes, in others such as using a slower computer or running the Linux version of 2.0.0.8, the context menu disappears just after showing.
Assignee | ||
Comment 15•17 years ago
|
||
Are there any ways to reproduce this? The patch in bug 400976 may or may not help with this.
Comment 16•17 years ago
|
||
(In reply to comment #15) > Are there any ways to reproduce this? I've put an unpatched version of the demo referred to above at http://www.better.se/bindows/test/ for the time being.
Comment 17•17 years ago
|
||
Ooh, thanks! I reproduced it right away. Now I can check to see if the patch in 400976 really does fix it, or if it's a separate problem. In a debug build I crashed in js_LookupPropertyWithFlags, below that it was the same as comment 5. Looks like an uninitialized variable (0xcccccccc in a debug build).
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 18•17 years ago
|
||
i can confirm this crash. Does not crash on Firefox 2.0.0.6/2.0.0.7 and does crash on Firefox 2.0.0.8 with the steps to reproduce
Comment 19•17 years ago
|
||
The patch in bug 400976 fixes the crash for me on the test version of bindows linked from comment 16 For a potential branch update I don't think we should mark this a duplicate of bug 400976, for testing purposes and clarity.
Assignee: nobody → Olli.Pettay
Comment 20•17 years ago
|
||
This bug is fixed by the checkin from Bug 400976 -> Fixed verified fixed 1.8.1.9 using Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.1.9) Gecko/2007102514 Firefox/2.0.0.9 (Firefox 2.0.0.9 RC1) and the testurl from comment #16. I do not crash on the RC1 on this link anymore, so adding the verified keyword.
Reporter | ||
Comment 21•17 years ago
|
||
Changed URL in bug to the test site from comment #16 (thanks, Marcus).
Updated•17 years ago
|
Flags: in-testsuite?
Comment 22•17 years ago
|
||
This was also checked into the 1.8 branch --> fixed1.8.1.10
Keywords: fixed1.8.1.10
Updated•17 years ago
|
Flags: blocking1.8.1.9?
Flags: blocking1.8.1.9+
Flags: blocking1.8.1.11?
Flags: blocking1.8.1.10+
Comment 23•17 years ago
|
||
the test case from comment #16 is no longer available, so its not possible to verify this bug for 1.8.1.10 currently
Comment 24•17 years ago
|
||
(In reply to comment #23) > the test case from comment #16 is no longer available, so its not possible > to verify this bug for 1.8.1.10 currently Sorry, I thought you were already done with this bug. The test case is back now. (Please tell me when I can remove it.)
Comment 25•17 years ago
|
||
(In reply to comment #24) > (In reply to comment #23) > > the test case from comment #16 is no longer available, so its not possible > > to verify this bug for 1.8.1.10 currently > > Sorry, I thought you were already done with this bug. The test case is back > now. (Please tell me when I can remove it.) > hi Marcus, many thanks for putting this online again. I can now verify this bug also fixed for 1.8.1.10 with Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.10) Gecko/2007111504 Firefox/2.0.0.10 - no crash on testcase and so the bug is completely done verified now. thanks for your help again. - adding verified keyword
Keywords: fixed1.8.1.10 → verified1.8.1.10
Comment 26•17 years ago
|
||
We need to get a version of this test into our automated test suite, if possible. We wouldn't want to regress this in a few days because of some other change...
You need to log in
before you can comment on or make changes to this bug.
Description
•